Reference links:

IMPACT ASSESSMENT:

Medium

Discussion:

By abusing the X-Forwarded-For header, an attacker could bypass the account lockout policy, allowing brute-force discovery of a valid user's password. An attacker could also obtain some bug information using the victim's credentials by means of a specially crafted HTML page.
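The lockout bypass described above works when the application keys its failed-login counter on a value the client controls. The following is an added illustration, not code from this advisory or from the affected product: it places the weak pattern (counter keyed on whatever X-Forwarded-For says) next to a hardened one (counter keyed on the target account, with X-Forwarded-For honoured only when the direct peer is a trusted reverse proxy) and simulates a guesser rotating the header on every request. The class names, the threshold, the trusted-proxy list and all addresses are constructed for the example.

```python
"""Login lockout keyed on a client-supplied header versus on the account.

Added illustration (not code from the advisory or the affected product).
Request headers, addresses and the threshold below are constructed.
"""
from collections import defaultdict

MAX_FAILURES = 5  # constructed threshold for the example


class HeaderKeyedLockout:
    """Weak: the failure counter is keyed on X-Forwarded-For, which the
    client controls unless a trusted proxy overwrites it."""

    def __init__(self):
        self.failures = defaultdict(int)

    def client_key(self, headers, remote_addr):
        # Assumed vulnerable pattern: take the first XFF value verbatim.
        xff = headers.get("X-Forwarded-For")
        return xff.split(",")[0].strip() if xff else remote_addr

    def is_locked(self, headers, remote_addr, username):
        return self.failures[self.client_key(headers, remote_addr)] >= MAX_FAILURES

    def record_failure(self, headers, remote_addr, username):
        self.failures[self.client_key(headers, remote_addr)] += 1


class AccountKeyedLockout:
    """Hardened: count failures per target account, and only honour
    X-Forwarded-For when the direct peer is a trusted reverse proxy."""

    def __init__(self, trusted_proxies):
        self.trusted_proxies = set(trusted_proxies)
        self.failures_by_account = defaultdict(int)

    def client_key(self, headers, remote_addr):
        """Best-effort client address, used only for logging/alerting."""
        xff = headers.get("X-Forwarded-For")
        if xff and remote_addr in self.trusted_proxies:
            # With one trusted proxy hop, the rightmost value is the one our
            # proxy appended; anything to its left is client-supplied.
            return xff.split(",")[-1].strip()
        # Untrusted peer: ignore the header entirely, even if present.
        return remote_addr

    def is_locked(self, headers, remote_addr, username):
        return self.failures_by_account[username.lower()] >= MAX_FAILURES

    def record_failure(self, headers, remote_addr, username):
        self.failures_by_account[username.lower()] += 1


def simulate_guessing(policy, attempts, username="victim"):
    """Simulate a remote guesser that rotates X-Forwarded-For per request.
    Returns how many password guesses the policy actually evaluated."""
    evaluated = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.0.{i % 250}"}  # constructed, rotating
        remote_addr = "203.0.113.7"  # constructed (documentation range)
        if policy.is_locked(headers, remote_addr, username):
            continue
        evaluated += 1
        policy.record_failure(headers, remote_addr, username)
    return evaluated


if __name__ == "__main__":
    print("header-keyed :", simulate_guessing(HeaderKeyedLockout(), 100))
    print("account-keyed:", simulate_guessing(AccountKeyedLockout(["192.0.2.1"]), 100))
```

With 100 guesses against one account, the header-keyed policy evaluates all 100 because every request lands on a fresh counter, while the account-keyed policy evaluates only the first five. Keying the counter on the account has its own trade-off (an attacker can lock a user out on purpose), so production systems typically combine per-account lockout with a per-source limit derived from the proxy-verified address and alert when X-Forwarded-For arrives from an untrusted peer.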